I've been using Sygate Personal Firewall Pro for a while and can't find an option to block ping/ICMP attacks. Does anyone know a rule I can create so it will block them?

Does Sygate not block this by default? Are you seeing ICMP permitted that you do not want?
You may need to check your application rules. Advanced rules could be created that would be applied before anything else.

Sygate does indeed block ICMP type 8 inbound, not sure about the other types though. To configure it yourself, you would just create advanced rule(s), yes. I think the free Sygate has a rule limit, but there should be plenty of room for a few ICMP rules.

I would allow 8 out, and perhaps 3 out to dns servers.
And I would allow 0, 3, 11 inbound.
Block all other icmp both directions.

First off, I'm on dial-up, XP SP1, bandwidth 85-90 Kb (average), using Sygate Free 5.5 build 2710.
Are you seeing any outbound ICMP in your Traffic Log after a cold boot? I do, from svchost.exe, with XP. So I have svchost.exe blocked in the Application Rules.
If you block svchost in Application Rules then you must then create Advanced Rules for UDP services, like DNS, NTC, etc., which are child processes of svchost.exe. Broadband has other UDP services that must be allowed; which one(s), I don't know. Also make sure that under Applications, within the Advanced Rules tab, you select svchost.exe for DNS, NTC, etc.
Depending on what software you run you may get by with blocking all ICMP, but some programs must use ICMP, mainly pinging utilities, like Ping Plotter, IMHO a "must have".
I don't know why you're being pinged that frequently. I never am, on dial up.
You can of course disable the ICMP protocol by going to the Advanced Rules window and creating a global rule, which overrides all application rules.
Final thought, deny every program in the Application Rules to "act as server". This may break some programs, depending on your apps, but if so then immediately check your Traffic Log for the block and then allow "act as server".
Hope this helps.

The "correct" configuration of ICMP filters in a firewall is hotly debated. The problem is that ICMP are the "control messages" for TCP/IP. If you block some incoming ICMP, then you will break communication.

The absolute minimum ICMP traffic to allow is the packets dealing with TCP path MTU discovery. Fragmenting a stream is more efficient at the TCP layer than at the IP layer, so the TCP layer will try to discover when IP packets are being inadvertently fragmented. They do this by setting the "DF" (Don't Fragment) bit on all outgoing packets. When a router cannot forward the packet because it is too big, rather than fragmenting it, it sends back a "fragmentation needed" ICMP packet (type=3/code=4). The TCP stack then starts sending smaller IP packets, segmenting the data at the TCP layer rather than allowing routers to fragment at the IP layer. Therefore, firewalls must be configured to allow incoming ICMP type=3, code=4 packets.
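The per-type allow/block policy suggested earlier in the thread (allow 8 and 3 out; allow 0, 3 and 11 in; block everything else) and the path MTU discovery point above can be checked against real ICMP bytes. The following is an added example written for this thread, not Sygate, CHX-I or Kerio code: it parses the 8-byte ICMP header, verifies the RFC 1071 checksum, pulls the next-hop MTU out of a type 3/code 4 "fragmentation needed" message, and then applies the thread's direction-based policy. The packets it feeds in are constructed inline for the demonstration; the `POLICY` table and the `decide` function are this example's own names.

```python
"""Parse ICMP messages and apply the per-direction type policy from the thread.

Added example for illustration only; not part of any firewall product.
"""
import struct

# ICMP type numbers from RFC 792
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # code 4 under type 3: "fragmentation needed and DF set"

# The thread's policy: which ICMP types are permitted in each direction.
# Type 3 inbound is required for path MTU discovery (type=3/code=4).
POLICY = {
    "out": {ECHO_REQUEST, DEST_UNREACH},
    "in": {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED},
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages for 16-bit summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Construct a test ICMP message with a correct checksum (constructed data)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(msg: bytes) -> dict:
    """Return type, code, checksum validity and, for type 3/code 4, the next-hop MTU."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    # Summing a message that includes its own checksum field yields 0 when valid.
    info = {"type": icmp_type, "code": code,
            "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # RFC 1191: header bytes 6-7 carry the next-hop MTU the sender must use
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info


def decide(direction: str, msg: bytes) -> str:
    """Apply POLICY to one message; returns 'allow' or 'block: <reason>'."""
    info = parse_icmp(msg)
    if not info["checksum_ok"]:
        return "block: bad checksum"
    if info["type"] in POLICY[direction]:
        return "allow"
    return "block: type %d not permitted %sbound" % (info["type"], direction)


if __name__ == "__main__":
    # Constructed sample traffic: a PMTU "fragmentation needed" reply with
    # next-hop MTU 1400, an inbound ping, and an outbound ping.
    frag_needed = build_icmp(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1400))
    inbound_ping = build_icmp(ECHO_REQUEST, 0)
    print("in  3/4 :", decide("in", frag_needed), parse_icmp(frag_needed))
    print("in  8/0 :", decide("in", inbound_ping))
    print("out 8/0 :", decide("out", inbound_ping))
```

Note that the policy here is purely type-based, as the thread's rule set is; a firewall with ICMP pseudo-SPI would additionally tie an inbound type 0 reply to an outbound type 8 request it has seen, which is the stricter behaviour discussed later in this thread.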

To Crazy M and Kerodo:
One can, with the Sygate build I'm using, in the Advanced Rules with ICMP selected, either permit or block basic, common ICMP traffic, in either direction, or both, but no sub codes. Falls way short of Kerio 2.15 and CHX-I. I'm still tempted to run Sygate and CHX-I in tandem, just for the stateful packet inspection of UDP and ICMP that CHX provides.

I don't think you can set icmp sub codes in Kerio 2. You can in others like Jetico for example.

CHX and Kerio make a great combo if you don't mind a little double filtering of browser traffic etc. But both are fast and you shouldn't notice any speed degradation. I have run both before with success and liked it.

I have also run CHX with Sygate.

In both cases however (CHX/Sygate and CHX/Kerio), Kerio or Sygate will get the traffic first and filter it before CHX. Then, when you check the CHX logs, you will see an occasional packet blocked due to CHX's slightly stricter SPI.

Speaking of Sygate, does anyone know what's up with Sygate Pro 5.6? I checked their forum and there's no posts on the beta for over a month now. And it looks like the current beta is 2-3 months old. But when you download it, it says it's good for 30 days.

Does anyone know if they have abandoned the home market completely? Or if there is any work being done on the Pro 5.6 at all? Not to mention there has been no comment on the age old loopback issue either.

Sygate has TCP SPI only, right? CHX has TCP SPI and also UDP and ICMP pseudo SPI. So I would think that CHX would complement Sygate a little. I did run both here so I know they can coexist ok. Sygate seemed to filter packets first, then CHX. Occasionally you would see a packet or two in the CHX logs that Sygate either missed or didn't handle as well as CHX.

To Kerodo,
Yes, TCP SPI only with Sygate, and all other software firewalls, except for CHX-I, as far as I can determine. Anyone know otherwise, please post with documentation.
Maybe Stephan will reply.

I can't post documentation (because I'm lazy), but many of the other firewalls have SPI or pseudo SPI for UDP also. A few examples are Kerio 4, Jetico, ZA, Outpost Pro; there are also more I'm sure. It is more common to have than to not have these days...

If you want simple for CHX, I'd try downloading the sample rule set on their web site, and then turn on SPI for TCP/UDP/ICMP (and logging) in Interface Properties. That will allow all outbound and only what SPI allows inbound. You can control outbound with Sygate's app control.